The new EU-US Data Privacy Framework has come into force. And now?

by Katrin Nebermann

On July 10, 2023, the European Commission adopted the new data protection framework for the transfer of personal data to the USA. In order for data to flow to the United States in compliance with the GDPR, US tool providers must meet certain conditions to be included in this new list: https://www.dataprivacyframework.gov/s/

As soon as the companies are listed there, Microsoft 365, Zoom, Google Analytics & Co. may be used again in accordance with Art. 44 GDPR. However, this does not mean that all other requirements of the GDPR or the TTDSG are automatically fulfilled. For Google Analytics, for example, the vote of the supervisory authorities still applies that data may only be collected with prior consent (see https://www.datenschutzkonferenz-online.de/media/dskb/20200526_beschluss_hinweise_zum_einsatz_von_google_analytics.pdf).

Very important: The consent requirement also applies when using server-side tracking with Google Analytics. On 30 June 2023, the Swedish Data Protection Authority (IMY) demanded in the proceedings against Coop that all identifiers and not just the IP address be anonymized(IMY (Sweden) – DI-2020-11368 – GDPRhub). This is practically impossible without destroying the functionality.

In this respect, the data protection framework does little to change current marketing practice and the number one challenge in web analytics: ensuring reliable data quality. This is because mandatory consent plus tracking blocking and tracking protection (ITP) jeopardize the database and cause distortions in the analyses.

On average, 65% of data is lost when consent is required, as the latest benchmark study by etracker shows:

The average is likely to fall even further if the consent and reject buttons are designed to be equivalent, as required by the supervisory authorities:

No need to worry about massive data loss with etracker analytics

With etracker analytics, you don’t have to worry so much about consent rates, because by default, cookie-less data collection based on the overriding legitimate interest according to the GDPR does not require prior consent from users. The 10-20% data loss due to tracking blocking can also be prevented by setting up your own tracking domain.

Mastering duty and freestyle

GDPR compliance is a legal requirement in web analytics. The key is to ensure the best possible and therefore reliable data quality, which can only be guaranteed through independence from consent. This is only possible with proven data protection-friendly processing as the mildest means for the purpose and without use for the provider’s own purposes or merging with the provider’s profile and account data. With consent-free tracking, companies are sustainably future-proofed. And who knows whether and how long the new data protection framework will last. Max Schrems has already announced a new complaint to the European Court of Justice.